mission impossible!

CoolDevelopment

Senior Member
Sep 25, 2013
996
1,712
0
Cologne
There is no source for our bootloaders! I have not tried to flash the bootloader, but I think it's possible using dd, since I know TA flashing is possible with dd, so I think the bootloader is possible too. :) I do not know if there is a hash check for the bootloader partition (in case we flash a cracked bootloader), but I will see very soon! :D If there is no hash check and/or if we are able to flash a cracked bootloader, then we can bypass the security check by cracking the bootloader!

I wanted to mmap 0x80110000 memory and see what I can see there... but it seems we cannot open them? Since:

Do you have idea how we can read them?
Sorry, I don't know much about that..

Can't we build an LK bootloader modified for our device?
 

Rekoil

Senior Member
May 17, 2008
1,141
495
0
Göteborg
www.idroidproject.org
There is no source for our bootloaders! I have not tried to flash the bootloader, but I think it's possible using dd, since I know TA flashing is possible with dd, so I think the bootloader is possible too. :) I do not know if there is a hash check for the bootloader partition (in case we flash a cracked bootloader), but I will see very soon! :D If there is no hash check and/or if we are able to flash a cracked bootloader, then we can bypass the security check by cracking the bootloader!
I would be very surprised if there's no signature-check for the bootloader partition, even the original (first) iPhone had a signature-check for the user-modifiable bootloader.

Perhaps a BROWN device (in SonyEricsson terms) would not have a check, but a retail device sure will.
 

zxz0O0

Senior Member
Apr 18, 2011
1,534
5,156
0
The Qualcomm boot chain verifies each part with a signature. I think what you modified is not part of the data which is used for calculating the signature.

There was an exploit in lk which allowed overwriting the signature check in lk with a modified ramdisk offset in the kernel (this allowed booting custom kernels with a locked bootloader). But this exploit is patched now (you can see in lk that it checks the ramdisk offset now) (see also http://blog.azimuthsecurity.com/2013/05/exploiting-samsung-galaxy-s4-secure-boot.html )
 
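An added example (not code from this thread, and not Sony's or Qualcomm's real image format or signing key) illustrating the point made above: a verifier that only covers the region the header declares as signed will not notice a byte change outside that region, while a verifier that requires the tag to cover the whole image rejects any image carrying unsigned bytes. The image layout, the key and all function names here are constructed, and HMAC-SHA256 stands in for the RSA signature a real boot chain would use.

```python
import hashlib
import hmac
import struct

# Constructed key standing in for the OEM's signing key (a real boot chain
# uses an RSA signature; HMAC-SHA256 is enough to show the coverage issue).
SIGNING_KEY = b"constructed-demo-key"

# Constructed layout: 4-byte little-endian length of the signed region,
# the signed region, an optional unsigned trailer, then a 32-byte tag.
def build_image(signed_region: bytes, unsigned_trailer: bytes) -> bytes:
    tag = hmac.new(SIGNING_KEY, signed_region, hashlib.sha256).digest()
    return struct.pack("<I", len(signed_region)) + signed_region + unsigned_trailer + tag

def verify_partial(image: bytes) -> bool:
    """Weak verifier: checks only the region the header declares as signed."""
    (signed_len,) = struct.unpack("<I", image[:4])
    signed_region = image[4:4 + signed_len]
    expected = hmac.new(SIGNING_KEY, signed_region, hashlib.sha256).digest()
    return hmac.compare_digest(image[-32:], expected)

def verify_full(image: bytes) -> bool:
    """Hardened verifier: the tag must cover every byte before it, so the
    header-declared length cannot exclude bytes from the check."""
    body, tag = image[:-32], image[-32:]
    (signed_len,) = struct.unpack("<I", body[:4])
    if signed_len != len(body) - 4:  # unsigned bytes present: reject outright
        return False
    expected = hmac.new(SIGNING_KEY, body[4:], hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def flip_byte(image: bytes, offset: int) -> bytes:
    mutated = bytearray(image)
    mutated[offset] ^= 0xFF
    return bytes(mutated)

def demo() -> dict:
    image = build_image(b"A" * 64, b"B" * 16)          # 64 signed, 16 unsigned
    in_signed = flip_byte(image, 10)                     # inside signed region
    in_trailer = flip_byte(image, 4 + 64 + 3)            # inside unsigned trailer
    return {
        "partial_original": verify_partial(image),       # True
        "partial_signed_flip": verify_partial(in_signed), # False: covered
        "partial_trailer_flip": verify_partial(in_trailer),  # True: not covered
        "full_with_trailer": verify_full(image),         # False: unsigned bytes
        "full_no_trailer": verify_full(build_image(b"A" * 64, b"")),  # True
    }
```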

zxz0O0

Senior Member
Apr 18, 2011
1,534
5,156
0
We are running ABOOT and not LK! Every part of a binary is part of the binary! In our way s1sbl is not signature checked! I think we are ready for cracking s1sbl!
ABOOT is a modified LK very close to source. Try modifying the actual code of the bootloader binary first. I'm still pretty sure it's signature checked.

The boot files from the firmware are only flashed if the version is different. Each configuration is read and the phone checks the 'ATTRIBUTES VALUE'. If the attributes on the phone matches the attributes in the configuration, the files from the said configuration are flashed.

For example OTP_LOCK_STATUS you can find in service menu under Service tests => Security.
 

CoolDevelopment

Senior Member
Sep 25, 2013
996
1,712
0
Cologne
Try flashing different commercial files and see which one lets you use fastboot and flashmode ;)

Another thing which could be possible with a modified bootloader is using the fotakernel partition as our recovery; that would be great.
 

munjeni

Senior Member
Jun 2, 2011
9,019
21,774
263
Flashed the 007B30E1 commercial version now (it has a bigger size) and it boots, but no flashmode; it seems we need to flash both files provided in the xml file for every configuration to get fastboot and flashmode active.
 

munjeni

Senior Member
Jun 2, 2011
9,019
21,774
263
Strange thing:

dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/s1sbl

WTF, not bricked? There is another partition similar to s1sbl named alt_s1sbl (alternate partition); it seems this partition is used if the s1sbl partition is broken?
 